CLAIMS



[Claim(s)] 

[Claim 1] A communication log processing method comprising:

(a) a process of converting each of a plurality of analysis object log files, output by an application capable of recording communication logs, into a predetermined format as required;

(b) a process of integrating the plurality of analysis object logs converted into said predetermined format; and

(c) a process of judging the existence of unlawful access by analyzing the integrated log.

[Claim 2] The communication log processing method according to claim 1, wherein said plurality of analysis object log files are recorded for the same system.

[Claim 3] The communication log processing method according to claim 2, further comprising (d) a process, performed before said process (a) or process (b), of judging the compatibility between said plurality of analysis object logs and outputting the judgment result.

[Claim 4] The communication log processing method according to claim 1, wherein said process (a) converts said analysis object log file into the predetermined format using a conversion procedure prepared in advance for each application that output said analysis object log file.

[Claim 5] The communication log processing method according to claim 1, further comprising a process of updating, at predetermined timing, the conversion procedure prepared in advance for each said application.

[Claim 6] The communication log processing method according to claim 1, further comprising (e) a process, performed before said process (a) or process (b), of classifying lines belonging to the same session from said analysis object log.

[Claim 7] The communication log processing method according to claim 6, wherein said process (e) further comprises judging, for a line whose session cannot be determined, which session it belongs to, based on the lines of the analysis object log whose session can be determined.

[Claim 8] The communication log processing method according to claim 1, wherein said process (b) integrates said plurality of analysis object logs for each same session.

[Claim 9] The communication log processing method according to claim 8, wherein said process (c) judges the existence of unlawful access for each analysis object log integrated for each same session.
which can record a plurality of communication logs, into a predetermined format as required;

(b) a means for integrating the plurality of analysis object logs converted into said predetermined format; and

(c) a means for judging the existence of unlawful access by analyzing the integrated log.

[Claim 12] The communication log processing system according to claim 11, wherein said plurality of analysis object log files are recorded for the same system.

[Claim 13] The communication log processing system according to claim 12, further comprising (d) a means for judging the compatibility between said plurality of analysis object logs and outputting the judgment result.

[Claim 14] The communication log processing system according to claim 11, wherein said means (a) converts said analysis object log file into the predetermined format using a conversion procedure prepared in advance for each application that output said analysis object log file.

[Claim 15] The communication log processing system according to claim 11, further comprising a means for updating, at predetermined timing, the conversion procedure prepared in advance for each said application.

[Claim 16] The communication log processing system according to claim 11, further comprising (e) a means for classifying lines belonging to the same session from said analysis object log.

[Claim 17] The communication log processing system according to claim 16, wherein said means (e) further comprises a means for judging, for a line whose session cannot be determined, which session it belongs to, based on the lines of the analysis object log whose session can be determined.

[Claim 18] The communication log processing system according to claim 11, wherein said means (b) integrates said plurality of analysis object logs for each same session.

[Claim 19] The communication log processing system according to claim 18, wherein said means (c) judges the existence of unlawful access for each analysis object log integrated for each same session.

[Claim 20] The communication log processing system according to claim 19, wherein said means (c) classifies by color and displays the possibility of unlawful access for each said session.

[Claim 21] A computer software program product which cooperates with the operating system installed in a computer system and performs analysis processing of a communication log, comprising:

a storage;

(a) a means which carries out the conversion process of each analysis object log file, which is stored in


JP 2002-318734 

(c) a means, stored in said storage, for judging the existence of unlawful access by analyzing the integrated log.

[Claim 22] The computer software program product according to claim 21, wherein said plurality of analysis object log files are recorded for the same system.

[Claim 23] The computer software program product according to claim 22, further comprising (d) a means, stored in said storage, for judging the compatibility between said plurality of analysis object logs and outputting the judgment result.

[Claim 24] The computer software program product according to claim 21, wherein said means (a) converts said analysis object log file into the predetermined format using a conversion procedure prepared in advance for each application that output said analysis object log file.

[Claim 25] The computer software program product according to claim 21, further comprising a means for updating, at predetermined timing, the conversion procedure prepared in advance for each said application.

[Claim 26] The computer software program product according to claim 21, further comprising (e) a means, stored in said storage, for classifying lines belonging to the same session from said analysis object log.

[Claim 27] The computer software program product according to claim 26, wherein said means (e) further comprises a means for judging, for a line whose session cannot be determined, which session it belongs to, based on the lines of the analysis object log whose session can be determined.

[Claim 28] The computer software program product according to claim 21, wherein said means (b) integrates said plurality of analysis object logs for each same session.

[Claim 29] The computer software program product according to claim 28, wherein said means (c) judges the existence of unlawful access for each analysis object log integrated for each same session.

[Claim 30] The computer software program product according to claim 29, wherein said means (c) classifies by color and displays the possibility of unlawful access for each said session.
in which a plurality of log outputs are possible can be analyzed systematically, etc.
[0002] 

[Description of the Prior Art] Incidents in which the networks and servers of companies, government offices and municipalities are attacked by crackers and the like have recently become frequent, and this has drawn attention to the strengthening of network security. To strengthen network security it is first necessary to monitor and analyze it, and recording and analyzing the communication logs of the devices that make up a network, such as servers, is effective for such monitoring.

[0003] The communication history of a server is recorded, and by analyzing this communication log every event that occurred on the server can be detected. For example, unlawful access can be detected from the fact that there was unnatural access to the server from outside, and network security can be strengthened by taking measures accordingly.

[0004]

[Problem(s) to be Solved by the Invention] However, the logs output by a server are recorded in various formats that differ by the computer's OS and by the application in use, and their volume is enormous. It is therefore common for a network to be operated in a state where neither the time to check the log contents, nor even whether they can be checked at all, is assured, which is a problem from the standpoint of system management.

[0005] Moreover, a cracker who attacks a network alters or deletes such logs to eliminate the traces of the intrusion, so discovering unlawful access in such a case is very difficult.

[0006] This invention is made in view of this situation. Its purpose is to provide a log processing method and system that can discover unlawful access and the like without requiring advanced knowledge and experience on the part of the operator.

[0007]

[Means for Solving the Problem] To solve the above problem, according to a first main aspect of this invention there is provided a communication log processing method having (a) a process of converting each of a plurality of analysis object log files, output by an application capable of recording communication logs, into a predetermined format as required, (b) a process of integrating the plurality of analysis object logs converted into said predetermined format, and (c) a process of judging the existence of unlawful access by analyzing the integrated log.

[0008] With such a configuration, the formats of a plurality of log files are unified by a method that can be defined for each log file, and by integrating them it becomes possible to detect unlawful access that cannot be distinguished from an individual log file alone.
files, with such a configuration, it can be judged by integrating them whether an event in the system concerned involves unlawful access. By judging the compatibility between the plurality of files, it can also be detected that some of the files were altered.

[0011] According to one embodiment, said process (a) converts said analysis object log file into a predetermined format using a conversion procedure prepared in advance for each application that output the analysis object log file. Preferably, this method further has a process of updating, at predetermined timing, the conversion procedure prepared in advance for each application.

[0012] Using a procedure prepared in advance for each analysis object log file makes it possible to analyze logs efficiently, and updating this procedure appropriately makes it possible to raise the accuracy of log analysis.

[0013] According to a further embodiment, the method further has (e) a process, performed before said process (a) or process (b), of classifying lines belonging to the same session from said analysis object log. In this case, said process (e) preferably judges, for a line of the analysis object log whose session cannot be determined, which session it belongs to, based on the lines whose session can be determined.

[0014] With such a configuration, even a line whose session is unknown on its face can be classified into the appropriate session, which makes the subsequent log analysis efficient and effective.

[0015] According to a further embodiment, said process (b) integrates said plurality of analysis object logs for each same session, and said process (c) then judges the existence of unlawful access for each analysis object log integrated for each same session. In this case, said process (c) desirably classifies by color and displays the possibility of unlawful access for each session.

[0016] With such a configuration, by collecting each log per session at the time of log integration, unlawful access can be judged effectively and the result is easy to display.

[0017] According to a second main aspect of this invention there is provided a communication log processing system having (a) a means for converting each of a plurality of analysis object log files, output by an application capable of recording communication logs, into a predetermined format as required, (b) a means for integrating the plurality of analysis object logs converted into said predetermined format, and (c) a means for judging the existence of unlawful access by analyzing the integrated log.

[0018] With such a configuration, a system capable of performing the method of said first aspect is obtained.

[0019] According to a third main aspect of this invention, there are provided computer software program products
a computer software program product having a means, stored in said storage, for judging the existence of unlawful access by analyzing the integrated log is provided.

[0020] With such a configuration, the same effect as the method of said first aspect is obtained.

[0021] Other features and prominent effects of this invention will be understood more clearly by referring to the following description of an embodiment and the attached drawings.

[0022] 

[Embodiment of the Invention] Hereafter, an embodiment of the invention is described with reference to the drawings.

[0023] In drawing 1, reference numeral 1 denotes the log analyzing system of this embodiment and 2 denotes the server under surveillance. The log analyzing system 1 of this embodiment has the function of receiving online and analyzing the communication log output by said server 2, in order, for example, to discover unlawful access by a cracker.

[0024] That is, in said server 2, the communication processing of the various server applications 3 is recorded and output using the log record program 4, and the log transport agent 5 likewise installed in this server 2 transmits said communication log in real time to said log analyzing system 1 over a LAN, a public line or another communications network. The log analyzing system 1 stores the received communication log in the analysis object log storage 7 provided in this log analyzing system 1.

[0025] Said log analyzing system 1 takes out and analyzes the communication log stored in said analysis object log storage 7 at predetermined timing to search for the existence of unlawful access (process 8 in drawing 1), and outputs the analysis result, for example in list form (process 9 in drawing 1).

[0026] The log analyzing system 1 of this invention integrates various communication logs. Correspondingly, in the server 2 of this embodiment, the same event is recorded in a plurality of log files, which are transmitted to this log analyzing system 1. Drawing 2 (a) and (b) show examples of such communication log recording methods.

[0027] That is, as shown in drawing 2 (a), in said server 2 the communication logs of a plurality of server applications A and B concerning the same event may be recorded in different communication log files A and B using a plurality of log record programs 4A and 4B; alternatively, as shown in drawing 2 (b), the communication logs of the plurality of applications A and B may be recorded in different communication log files A and B using a single log record program 4A.

[0028] In this case, said plurality of log files are preferably separate files prepared for each facility. For example, in this embodiment the communication log of each facility concerning the same event is recorded in "/var/log/(facility name).log", and the communication logs of all facilities concerning the same event are also recorded in a single file "/var/log/all.log", for consistency of reference with the above per-facility communication log files.
the analysis performed by this analyzing system; besides said analysis object log storage 7, there are formed the unification log storage 21, which stores logs after their format has been unified, the unified analysis object log storage 22, which stores the integrated analysis object log, and the analysis result storage 23, which stores the result of log analysis.

[0032] Stored in said analysis condition storage 19 are the updated default analysis condition file 24a, provided by a security contractor such as the applicant of this application, and the user-set analysis condition file 24b, which the user of this system set up based on this default analysis condition file.

[0033] Of the program storing part 16, mentioning only what relates to this invention, it has: the analysis condition set part 25, for setting the conditions of said analysis; the log format conversion treating part 26, which converts said analysis object log files into a predetermined unified format and stores them in said unification log storage 21 so that mutual comparison or combination becomes possible; the compatibility discrimination section 27, which judges the compatibility between a plurality of analysis object logs; the log integration processing part 28, which integrates the plurality of analysis object logs converted into said predetermined format; the log sorting process part 29, which classifies the lines belonging to the same facility from said integrated analysis object log; the log analysis processing part 30, which judges the existence of unlawful access by analyzing said classified analysis object log; and the analysis result reflection treating part 36, for reflecting the analysis result of this log analysis processing part 30 in said analysis settings.

[0034] The log integration processing part 28 has the session discrimination section 31, which judges into which session a line whose session cannot be determined should be classified, based on the lines of the analysis object log that can be classified.

[0035] The log analysis processing part 30 is provided with the following:

the connection IP analyzer 33, which judges unlawful access based on the connection IP address;

the connect time analyzer 34, which judges unlawful access based on connect time; and

the pattern analyzer 35, which judges the existence of unlawful access by comparing said log with connection patterns prepared in advance.

[0036] These components are programs installed in a fixed area secured in the storage of the computer system; they are called from this area by said CPU 11 onto RAM 12 and executed, and they cooperate with the OS (operating system) to realize the functions of this invention.

[0037] Hereafter, the function and operation of the above components are explained along with the procedure of this system.

[0038] Drawing 3 shows the outline procedure of this analyzing system 1.

[0039] As shown in this figure, analysis of the communication log using this analyzing system 1 is conducted, for example, in wizard form. When the wizard is started (Step S1), said analysis condition set part 25 makes an
operator who is not well versed in network security, without the detailed settings of Steps S3-S6; and in this embodiment, as shown in drawing 5, the currently effective setting "Regulation" 38, "basic setting" 39 for conducting unlawful access analysis in general, "Web general relation" 40 for analyzing unlawful access related to CGI and other WEB items, "ftp motion analysis" 41 for checking items related to ftp, "root access analysis" 42 for analyzing records of operations performed with manager authority, "scan motion analysis" 43 for analyzing the preparatory operations before unlawful access is received, and "mailing environment analysis" 44 for analyzing abnormal operation of the mail environment, among others, can be chosen. By choosing each setting, the analytical items etc. configured by default for that setting, as described later, are set up automatically, so the operator need only correct these.

[0041] In this embodiment, said security policies other than the above "Regulation" can be set up using the newest updated default analysis condition file 24a prepared by a security contractor such as the applicant of this application. Therefore, when choosing an option other than the above "Regulation", the operator can use the newest security policy without being aware of it.

[0042] Next, in the setting of permission IPs and refusal IPs (Step S3), the IPs which are permitted access (permission IPs) and the IPs which are refused access (refusal IPs) can be set for each facility. In this embodiment, the refusal IPs which said security contractor added to said updated default analysis condition file 24a, and the refusal IPs which said analysis result reflection treating part 36 judged appropriate as a result of the security diagnosis of this system, are automatically displayed as defaults based on the selected policy.

[0043] In the pattern setting (Step S4), the patterns to be monitored for each facility can be set. For example, for APP, the patterns to be monitored for a brute force attack, a port scan, etc. can be set. The newest such patterns are always provided as defaults by said default analysis condition file 24a, supplied by said security contractor according to each policy, so the operator can achieve an optimal setting basically by applying the default patterns.

[0044] Next, in the selection of analysis object files (Step S5), in this example the directory set as said analysis object log storage 7 and the files in that directory can be individually specified.

[0045] In the selection of analytical items and of the report output kind (Step S6), connection IP analysis, connect time analysis and pattern analysis can be chosen as analytical items, corresponding to said connection IP analyzer 33, connect time analyzer 34 and pattern analyzer 35. As report output items, it can be specified whether items of said communication log such as the time and the facility name are displayed when the items to be output in a report are shown.

[0046] The items set above are stored in the user-set analysis condition 24b of said analysis condition storage 19, and the analysis shown in drawing 4 is then performed at Step S7.

[0047] Hereafter, this procedure is explained based on the flow chart of drawing 6.

[0048] First, said format conversion treating part 26 takes out the analysis object communication log set up
(xferlog), which records file transfers in ftp, is assumed to be as shown in drawing 7 (b). Here the first log has the form {month, day, time, server, daemon, [PID] operation (including connection IP and account)}, and the second log has the form {day of week, month, day, time, year, connection IP, file size, file name, transfer mode, direction, account, protocol}. As they stand, even if the integrating process explained later is performed, the result is like drawing 8 and is difficult to analyze, so in this embodiment said format conversion treating part 26 arranges them into the form shown in drawing 9. In this form, the time stamp formats of drawing 7 (a) and drawing 7 (b) are aligned, and the display positions of the connection IP and of the account are aligned.

[0050] Subsequently, said compatibility discrimination section 27 judges the compatibility between the logs concerning the same event stored in said unification log storage 21 (step S7-2).

[0051] For example, assume that the all-facility log (/var/log/all.log) recorded for ftp operation as the same event is as shown in drawing 10 (a), and that the authentication log (/var/log/auth.log) is as shown in drawing 10 (b). Here, for convenience of explanation, the form of drawing 10 (a), {month, day, time, server, daemon (or service), [PID] operation (including connection IP and account)}, is that before format unification. In this case, if the lines of the log of drawing 10 (b) are matched against the log of drawing 10 (a), they correspond to lines 9 and 16 or 17.

[0052] Said compatibility discrimination section 27 sorts said all-facility log by the method most suitable for the kind of said log record program 4 and compares it with the log for each facility. In this example, the all-facility log of said drawing 10 (a) is sorted using the daemon name as a key and compared with said drawing 10 (b). If the two do not agree, it can be judged that one of the logs was altered. The all-facility log is sorted by daemon name here because the daemon name (or service name) is fixed for each facility; the PID (process ID), by contrast, is not suitable, because entries with the same PID are distributed across a plurality of logs in per-facility recording.

[0053] Since the optimal sorting method varies with the form of a log, in this embodiment this process (step S7-2) is actually performed after said format unification process (step S7-1). This makes it possible to perform said consistency comparison by a fixed method.
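As an added example, not code from the patent, of the compatibility check of [0052] and [0053]: the all-facility log is sorted by daemon name and compared line by line with each per-facility log, and any line present in one record but absent from the other (here a constructed case in which a failed-login line was removed from the ftpd log) is reported as a sign that one of the two was altered. The log lines and file contents are constructed samples in the syslog form the patent describes.

```python
import re
from collections import defaultdict

# Constructed sample logs in the form {month, day, time, server, daemon[PID]: operation};
# not real server output.
ALL_LOG = """\
Mar 10 02:14:01 srv ftpd[2421]: connection from 192.0.2.77
Mar 10 02:14:03 srv ftpd[2421]: FTP LOGIN FAILED FROM 192.0.2.77, user1
Mar 10 02:15:00 srv sshd[2430]: Accepted password for alice from 198.51.100.5
Mar 10 02:16:10 srv ftpd[2425]: FTP LOGIN FROM 192.0.2.77, user1
"""
# Per-facility logs; the 02:14:03 failure is missing from the ftpd file
# (a constructed tampering case).
FACILITY_LOGS = {
    "ftpd": """\
Mar 10 02:14:01 srv ftpd[2421]: connection from 192.0.2.77
Mar 10 02:16:10 srv ftpd[2425]: FTP LOGIN FROM 192.0.2.77, user1
""",
    "sshd": """\
Mar 10 02:15:00 srv sshd[2430]: Accepted password for alice from 198.51.100.5
""",
}
DAEMON_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ (\w+)\[\d+\]: ")


def split_by_daemon(text):
    """Sort the all-facility log by daemon name: the key the patent chooses,
    because the daemon name is fixed per facility while a PID spans files."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = DAEMON_RE.match(line)
        if m:
            groups[m.group(1)].append(line)
    return groups


def check_compatibility(all_log, facility_logs):
    """Return {daemon: (lines only in all.log, lines only in the facility log)}.
    Any entry at all means the two records disagree, i.e. one was altered."""
    grouped = split_by_daemon(all_log)
    report = {}
    for daemon in set(grouped) | set(facility_logs):
        from_all = grouped.get(daemon, [])
        from_fac = facility_logs.get(daemon, "").splitlines()
        only_all = [l for l in from_all if l not in from_fac]
        only_fac = [l for l in from_fac if l not in from_all]
        if only_all or only_fac:
            report[daemon] = (only_all, only_fac)
    return report
```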

[0054] Next, said log integration processing part 28 integrates the plurality of analysis object logs converted into said predetermined format (step S7-3). This is because, without integration, the existence of an unjust attack may not be understood from each log file alone.

[0055] For example, consider the case where, among the system logs (syslog) concerning the same event, the first log (/var/log/info.log) is as shown in drawing 11 (a) and the second log (/var/log/auth.log) is as shown in drawing 11 (b). In this case, the ftp session of session PID [2425] is suspected of unlawful access. However, as long as only the first log is seen, its relation with PID [2425] is not clear at all; only a slight trace remains in the three input attempts of PID [2421]. Conversely, the second log
means is a brute force attack on ftp using Telnet.

[0057] Such an analysis cannot be obtained from either log of drawing 11 (a) and drawing 11 (b) alone. Therefore it is necessary to combine and analyze these two logs.

[0058] Hereafter, the log coupling method of this embodiment is explained.

[0059] After this log integration processing part 28 unifies the format of each log in the format unification process mentioned above, it combines them and obtains a combined log like drawing 9. That is, as mentioned above, for ftp the operation itself and the movement of files are recorded in separate log files (drawing 8 (a) and drawing 8 (b)). Since their formats differ, these two logs are difficult to analyze if simply joined together. For this reason they are combined after unification by the method, described above, that aligns the forms of the two logs.

[0060] However, in such an example, the problem arises that the log of drawing 8 (b) contains no description specifying which ftp session the operation belongs to. In the example of drawing 8 and drawing 9 there is only one ftp session, so the identification is easy; but when, for example, two or more ftp sessions exist in the same time range, the identification cannot be performed and effective analysis cannot be conducted.

[0061] For this reason, in this embodiment, processing is performed in the above-mentioned log integration processing part 28 which determines to which session each line of a log file belongs and distributes the lines whose session is unknown to the appropriate session.

[0062] Drawing 13 (a) is an example of the first log (syslog) in the case where two or more sessions exist in the time range, and drawing 13 (b) is an example of the second log (xferlog). Drawing 14 shows the result of unifying the formats of these two logs as above by said log format conversion treating part 26, integrating them by this log integration processing part 28, and arranging them in order of time stamp.

[0063] In the integrated log of drawing 14, analysis is quite difficult, since there are sessions overlapping in time and sessions from the same IP.

[0064] For this reason, in this log integration processing part 28, the attributes of each session are first determined (step S7-4). In this case, when the log of said drawing 13 (a) is divided by PID and the lines which can be judged to be the same session are classified, it turns out, as shown in drawing 15 (a)-(c), that three sessions exist. From this result, the PID, IP and connect time of each session are determined as shown in drawing 16 (step S7-5).

[0065] Using this data, the log of said drawing 13 (b) can be classified into one of the sessions, as shown in drawing 17 (a)-(c).

[0066] Said log integration processing part 28 arranges said drawing 15 and drawing 17 in order of time stamp for each whole session, and obtains the result of drawing 18 (a)-(c) (step S7-6). Such an integrated log is stored in said unified analysis object log storage 22.

[0067] Subsequently, said classification distribution part 29 classifies said integrated log for each facility (step S7-7). According to this embodiment, the log stored in said unified analysis object log storage is taken
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[0069] First, detection processing of "permission IP" set up above or "refusal IP" is performed by the 
connection IP analysis processing of step S7-8. IP and the domain which were set as permission IP will be 
removed from other following analysis objects. Subsequently. IP which connection established among IP 
detected as IP or said refusal IP other than permission IP is detected, and the log about this IP is extracted. 
[0070]Next. in the inaccurate connect time detection processing of step S7-9, the connection of those 
other than the time zone set up as a connect time belt is detected as inaccurate connect time, and the log 
concerning the inaccurate connect time concerned is extracted. 

[0071]Next, in pattern analysis of step S7-10, coincidence with said log and the pattern stored in said 
analysis condition storage is judged, and when in agreement, it detects as unlawful access. As for this 
pattern, being updated every day is preferred, therefore the updated pattern is supplied by the security 
contractor as said updated default analysis condition file 24a in this embodiment. The number of the 
patterns used by this embodiment is about 400. 

[0072]Finally, an analysis result is outputted at Step SB of drawing 4 . As for the output of this analysis 
result, it is preferred to be classified by color and displayed in red. yellow, etc.. corresponding to the 
possibility of unlawful access. To each session, this analysis result sets the flag according to the possibility 
of unlawful access, and stores it in said analysis result storage 23. 

[0073]The result of the analysis carried out in this way is reflected in said updated default analysis condition 
file 24a by said analysis result reflection treating part 36. For example, when there is IP judged to have 
accessed unlawfully as a result of said analysis, the IP concerned is stored in said default analysis condition 
file 24a as refusal IP. 
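The three checks of steps S7-8 to S7-10, the per-session flag of step S8 and the feedback of detected IPs into the refused-IP list, as an added Python example that is not code from the patent. The records are already in the unified per-session form produced by the integration step; the IP lists, the permitted time band, the regular-expression patterns, the red/yellow severities and the failed-login threshold are all constructed for this example (the patent only says that about 400 patterns are supplied in the analysis condition file and does not describe them).

```python
"""Rule checks over a unified per-session log (steps S7-8 to S7-10) and
feedback of the verdict into the refused-IP list (analysis result reflection).

Added example, not the patent's own code.  The records, IP lists, time band,
patterns and the failed-login threshold below are all constructed here.
"""
import re
from datetime import datetime, time

# Unified records: (timestamp, session id, source IP, message).  Constructed.
RECORDS = [
    (datetime(2000, 2, 18, 22, 27, 35), 2901, "10.0.0.1", "connect from 10.0.0.1"),
    (datetime(2000, 2, 18, 22, 27, 40), 2901, "10.0.0.1", "FTP LOGIN FROM 10.0.0.1 [10.0.0.1], root"),
    (datetime(2000, 2, 18, 22, 28, 1), 2901, "10.0.0.1", "18732 /etc/passwd"),
    (datetime(2000, 2, 18, 12, 0, 0), 3300, "10.0.0.5", "connect from 10.0.0.5"),
    (datetime(2000, 2, 18, 14, 5, 0), 3100, "192.168.1.20", "FTP LOGIN FROM 192.168.1.20 [192.168.1.20], alice"),
    (datetime(2000, 2, 18, 14, 6, 0), 3100, "192.168.1.20", "1024 /home/alice/report.txt"),
    (datetime(2000, 2, 18, 15, 0, 0), 3200, "10.0.0.7", "FAILED LOGIN 1 FROM 10.0.0.7, root: Authentication failure"),
    (datetime(2000, 2, 18, 15, 0, 1), 3200, "10.0.0.7", "FAILED LOGIN 2 FROM 10.0.0.7, root: Authentication failure"),
    (datetime(2000, 2, 18, 15, 0, 2), 3200, "10.0.0.7", "FAILED LOGIN 3 FROM 10.0.0.7, root: Authentication failure"),
]

# Analysis conditions (constructed; in the patent they come from the default
# analysis condition file 24a, refreshed by the security contractor).
PERMITTED_IPS = {"192.168.1.20"}
REFUSED_IPS = {"10.0.0.5"}
TIME_BAND = (time(9, 0), time(18, 0))        # permitted connection hours
PATTERNS = [                                  # (name, regex, severity)
    ("root login", re.compile(r"LOGIN FROM .*,\s*root$"), "red"),
    ("password file transfer", re.compile(r"/etc/(passwd|shadow)\b"), "red"),
    ("failed login", re.compile(r"FAILED LOGIN"), "yellow"),
]
FAILED_LOGIN_THRESHOLD = 3   # assumed: this many failures in one session -> red
LEVELS = {None: 0, "yellow": 1, "red": 2}


def in_time_band(ts, band=TIME_BAND):
    """True when the connection time falls inside the permitted band; the
    band may wrap past midnight (e.g. 22:00-06:00)."""
    lo, hi = band
    t = ts.time()
    return lo <= t <= hi if lo <= hi else (t >= lo or t <= hi)


def analyze(records, permitted=PERMITTED_IPS, refused=REFUSED_IPS, patterns=PATTERNS):
    """Return {session id: {"ips", "level", "flags"}} for every session that
    is not entirely from permitted addresses."""
    by_session = {}
    for ts, sid, ip, msg in records:
        by_session.setdefault(sid, []).append((ts, ip, msg))
    results = {}
    for sid, lines in sorted(by_session.items()):
        ips = {ip for _, ip, _ in lines}
        if ips <= permitted:                  # S7-8: permitted IPs drop out
            continue
        flags = []
        for ip in sorted(ips & refused):      # S7-8: connection from refused IP
            flags.append(("red", f"connection from refused IP {ip}"))
        first = min(ts for ts, _, _ in lines)
        if not in_time_band(first):           # S7-9: connect outside time band
            flags.append(("yellow", f"connect at {first:%H:%M} outside permitted band"))
        failures = 0
        for _, _, msg in lines:               # S7-10: pattern match per line
            for name, rx, sev in patterns:
                if rx.search(msg):
                    flags.append((sev, f"pattern '{name}': {msg}"))
                    failures += name == "failed login"
        if failures >= FAILED_LOGIN_THRESHOLD:
            flags.append(("red", f"{failures} failed logins in one session"))
        level = max((sev for sev, _ in flags), key=LEVELS.get, default=None)
        results[sid] = {"ips": sorted(ips), "level": level, "flags": flags}
    return results


def reflect(results, refused):
    """Analysis result reflection: addresses of sessions judged unlawful
    (flagged red; yellow is treated as a warning only, an assumption here)
    are added to the refused-IP list for the next run."""
    new = set(refused)
    for r in results.values():
        if r["level"] == "red":
            new.update(r["ips"])
    return new


if __name__ == "__main__":
    res = analyze(RECORDS)
    for sid, r in res.items():
        print(sid, r["ips"], r["level"], *[f"  {sev}: {txt}" for sev, txt in r["flags"]], sep="\n")
    print("refused IPs after reflection:", sorted(reflect(res, REFUSED_IPS)))
```

Session 3100 never appears in the result because every address in it is permitted, which is exactly the removal of step S7-8; session 2901 is flagged red both for a root login and for fetching a password file, and additionally yellow for connecting at 22:27, outside the 09:00 to 18:00 band. The count-based brute-force rule is an addition of this example; the patent describes only per-line pattern matches.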

[0074] With this configuration, the formats of two or more log files are unified, and merging them makes it possible to detect unauthorized access that cannot be recognized from any single log file on its own. Because these processes are carried out on the basis of the latest format unification and integration methods, which the security contractor updates at predetermined timing, they can discover unauthorized access and the like without requiring advanced knowledge and experience on the part of the security administrator.

[0075] This invention is not limited to the embodiment described above and may be modified in various ways without departing from its gist.

[0076] For example, although the server 2 is the monitoring object in the embodiment, the invention is not limited to this, and a router or the like may be monitored instead.

[0077] In the embodiment the invention was described as a system and a method, but its functions may equally be provided as a software package stored on a CD-ROM or the like and installed on a computer system.

[0078]
[Effect of the Invention] According to the configuration explained above, a log processing method and system which can discover unauthorized access and the like can be obtained without requiring advanced knowledge and
[Original Japanese text of JP 2002-318734 A (P2002-318734A), paragraphs [0004] to [0078] and the brief description of the drawings: not recoverable from this extraction.]



[Reference numeral list and Figures 1 to 6 (system block diagrams, the main flowchart of Figure 4 with steps S1 to S8, and the log analysis flowchart of Figure 6 with steps S7-1 onward): image content not recoverable from this extraction.]
[Figures 7 to 18: sample syslog and xferlog entries and the per-session tables described in the embodiment. The readable residue shows the three ftpd sessions of Figures 15 to 18 (PIDs 2901, 2903 and 2907, all on Feb 18 between about 22:27 and 22:58) and xferlog entries of the form "Fri Feb 18 22:28:01 2000 1 <host> <size> <file> b _ o r root ftp 0 *"; the remaining image content is not recoverable from this extraction.]